PCI Compliant Hosting Requirements: 12-Point Checklist

Kent Roberts
by Atlantic.Net (60posts) under PCI Hosting

The Payment Card Industry Security Standards Council develops standards that outline the proper protection of data in today’s security climate. These specifications form the basis of PCI compliant hosting requirements. Compliance with the PCI Data Security Standard (PCI DSS) is necessary for merchants and other entities that process payment cards, transmit that data, or store it.

Since PCI compliance is critical for so many parties, below is a list of PCI compliant server requirements.

The PCI council’s recommendations form the basis of this 12-point checklist of PCI compliant server requirements, which should be considered highlights rather than comprehensive.

Installed and properly configured routers and firewalls

When you join multiple networks together, you need a router. When you want to control the traffic entering and leaving a network, or to keep people from getting into certain critical areas, you need to integrate a firewall. Implementation of firewalls and systematic setup of routers and firewalls to better control traffic flow is one of the most fundamental PCI compliant hosting requirements.

Replacement of all default passwords

If a hacker can just use a list of default passwords or exploits that prey on systems with out-of-the-box settings, your system is vulnerable. When an individual or organization wants to enter your infrastructure, they match together easily accessible default details with software that shows them all the devices connected to your network. When you deploy a new system, switch out those default settings and passwords right away.

Defenses on any PCI information in storage

Storage of cardholder data is generally not recommended by the PCI standards. The data that is on the chip or stripe should never be put into storage. If your organization does store permanent account numbers, or PANs (in this case payment card numbers), they should be encrypted. When displayed, PAN should be masked. Users should only be able to observe, maximum, the first 6 digits and last 4 digits.

Encryption of data transmission on any public networks

Whenever sending cardholder data through any public network (including the Internet, WiFi, general packet radio systems, global systems for communications, etc.), use IPsec or SSL/TLS to encrypt. Strong encryption should be implemented both for authentication and for data transmission. If you want a sense of best practices for these PCI compliant server requirements, the PCI Council points to IEEE 802.11, which is a set of standards for wireless local area networks (WLAN).

Regularly used & updated antivirus

There are plenty of opportunities during the course of business for downloads of malicious applications, through email or web browsing. Antivirus and anti-malware programs detect the activities of known malicious software. In fact, the best companies now work with predictive analytics and artificial intelligence to detect malware before it spreads. Deploy these tools on all systems, and select a solution that creates audit logs.

Maintenance of secure software and systems

A hacker could get into a system or program with security weaknesses, potentially allowing them to steal or view PAN. When the developer of a product or platform releases a patch, it should be immediately installed since it solves a known problem. Patches should be implemented on critical systems first, followed by less critical systems, adhering to a vulnerability management program. Note: You can further confirm that you are meeting security-related PCI compliant hosting requirements by choosing one with SSAE 16 audited data centers.

Business need-to-know access control

Employee roles and business need-to-know should guide the development of access controls so that unauthorized use does not occur. The basic idea of need-to-know is that you only give the extent of privileges and amount of data to a user that is necessary to conduct their tasks. Zero Trust should be integrated into your access control system, as indicated by the PCI Council’s instructions to “‘deny all’ unless specifically allowed.”

Unique IDs for everyone with access

You want to be able to know who is doing what within the system, and you want all activities to be easily trackable so that you can monitor and verify. Do not give anyone access to critical systems or data unless you have first given them a unique user ID. A password, passphrase, or multi-factor authentication (MFA) should be used standardly. MFA should be used for remote access. Virtual private networks, tokenization, or authentication and dial-in should be implemented for remote use.

Stringent physical access controls

Data is of course stored on real systems, and access to physical systems presents the opportunity for theft. In order to achieve PCI compliant hosting requirements, the provider’s data center should restrict physical access. Facility entry controls should be used. Before any outsider enters a space in which cardholder data is present or is being processed, they should receive a physical token that they give back prior to departure.

Network and data access monitoring & tracking

Being able to track exactly what a given user is doing by logging all steps they take allows you to perform vulnerability management and forensics in an organized fashion. Logs allow you to analyze something much more specifically and efficiently if there are any issues. They allow you to understand how hacking or other improper use occurs. You want automated audit trails in place so that you can review any activities.

Testing of all security mechanisms

Security gaps are often revealed through hacking. Testing security protocols, hardware, and software will keep you secure long-term. Check to see what wireless devices are being used with a wireless analyzer at least quarterly. Alternately, use a wireless intrusion detection system (IDS). Network vulnerability scans should be performed once each quarter and also following major adjustments within the network. Perform penetration testing annually at a minimum.

Information security policy

Beyond PCI compliant server requirements, you also need personnel interacting with the systems to be well-equipped. Everyone on staff should know their responsibilities for safeguarding sensitive data. Create, update, and distribute an information security policy that lets your employees know about PCI DSS rules. For internal environments, create usage policies to shape expectations for employees and contractors.

Atlantic.Net is here to help!

Contact our knowledgeable sales team today for more information and to get started with your very own PCI-compliant hosting solution. We will work with you to tailor a plan that fits your needs and your budget. Contact us here, via email at [email protected], or by phone at 888-618-DATA (3282).

Related Posts

New York, NY

100 Delawanna Ave, Suite 1

Clifton, NJ 07014

United States

Dallas, TX

2323 Bryan Street,

Dallas, Texas 75201

United States

San Francisco, CA

2820 Northwestern Pkwy,

Santa Clara, CA 95051

United States

Orlando, FL

440 W Kennedy Blvd, Suite 3

Orlando, FL 32810

United States

London, UK

14 Liverpool Road, Slough,

Berkshire SL1 4QZ

United Kingdom

Toronto, Canada

20 Pullman Ct, Scarborough,

Ontario M1X 1E4



We use cookies for advertising, social media and analytics purposes. Read about how we use cookies in our updated Privacy Policy. If you continue to use this site, you consent to our use of cookies and our Privacy Policy.